Permissions (page)

Hi,

I’ve picked up ConcreteCMS again and it seems that I have a problem with using permissions.

I have several usergroups, for now we will use GROUP1 and GROUP2.
I have created a single page (programmatically) and set the view_page to INCLUDE GROUP1 and EXCLUDE GROUP2

When checking the permissions on the page in the dashboard, the permissions are set correctly.

Now I have a user that is both in GROUP1 and GROUP2. I was expecting that the user would have had access to this page, because it is in GROUP1. Unfortunately, the access is denied. Debugging tells me that this user is also in the GUEST group, and because this is the “last” group being handled, the user has been denied access.

I’ve checked the code in \Concrete\Core\Permission\Access\Access.php and debugged the function:

    /**
     * @param \Concrete\Core\Permission\Access\Entity\Entity[] $accessEntities
     *
     * @return bool
     */
    public function validateAccessEntities($accessEntities)
    {
        $valid = false;
        $accessEntities = $this->validateAndFilterAccessEntities($accessEntities);
        $list = $this->getAccessListItems(PermissionKey::ACCESS_TYPE_ALL, $accessEntities);
        $list = PermissionDuration::filterByActive($list);
        foreach ($list as $l) {
            switch ($l->getAccessType()) {
                case PermissionKey::ACCESS_TYPE_INCLUDE:
                    $valid = true;
                    break;
                case PermissionKey::ACCESS_TYPE_EXCLUDE:
                    $valid = false;
                    break;
            }
        }

        return $valid;
    }

With this function, only the LAST access entity is being used. And in my case, that is GROUP2; excluding this user.

Shouldn’t this be done differently? Always deny ($valid = false) and check $l in the foreach loop. When this is INCLUDE, $valid should be true and we can break out of the foreach.

    /**
     * @param \Concrete\Core\Permission\Access\Entity\Entity[] $accessEntities
     *
     * @return bool
     */
    public function validateAccessEntities($accessEntities)
    {
        $valid = false;
        $accessEntities = $this->validateAndFilterAccessEntities($accessEntities);
        $list = $this->getAccessListItems(PermissionKey::ACCESS_TYPE_ALL, $accessEntities);
        $list = PermissionDuration::filterByActive($list);
        foreach ($list as $l) {
            if ($l->getAccessType() === PermissionKey::ACCESS_TYPE_INCLUDE) {
                // User has access.
                $valid = true;

                // We now know that user has access, that will do.
                break;
            }
        }

        return $valid;
    }

I’m using 8.5.5.

Maybe I am missing something?

With kind regards,

Sven.
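
Added example, not part of the original post and not ConcreteCMS code: a simplified model of the three ways such an access list can be resolved, showing that the quoted loop's result depends on iteration order and that stopping at the first INCLUDE means an EXCLUDE entry can never deny anyone. The constants, function names and sample entries are assumptions made for illustration.

```php
<?php
// Simplified model, not ConcreteCMS code. Each entry is [entity, type] in the
// order the list is iterated; the entries below are constructed sample data.
const INCLUDE_ACCESS = 'include';
const EXCLUDE_ACCESS = 'exclude';

// Same logic as the loop quoted above: every matching entry overwrites the result.
function lastMatchWins(array $entries): bool
{
    $valid = false;
    foreach ($entries as [, $type]) {
        if ($type === INCLUDE_ACCESS) {
            $valid = true;
        } elseif ($type === EXCLUDE_ACCESS) {
            $valid = false;
        }
    }
    return $valid;
}

// The change proposed in the post: stop at the first INCLUDE, ignore EXCLUDE.
function anyIncludeWins(array $entries): bool
{
    foreach ($entries as [, $type]) {
        if ($type === INCLUDE_ACCESS) {
            return true;
        }
    }
    return false;
}

// Order-independent alternative (assumption, not from the thread):
// access needs at least one INCLUDE and no EXCLUDE at all.
function denyOverrides(array $entries): bool
{
    $types = array_column($entries, 1);
    return in_array(INCLUDE_ACCESS, $types, true)
        && !in_array(EXCLUDE_ACCESS, $types, true);
}

// Constructed sample: one user whose groups match three entries on the page.
$user = [['GROUP1', INCLUDE_ACCESS], ['GROUP2', EXCLUDE_ACCESS], ['Guest', EXCLUDE_ACCESS]];
$reordered = array_reverse($user); // same memberships, different iteration order

foreach (['lastMatchWins', 'anyIncludeWins', 'denyOverrides'] as $fn) {
    printf("%-15s original=%s reordered=%s\n", $fn,
        var_export($fn($user), true), var_export($fn($reordered), true));
}
```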

You don’t need to explicitly exclude Guests. Just make sure Guests is not included.

If you look down through other default permissions for editing etc, they just list Administrators, they don’t explicitly exclude Guests. You can do the same for ‘View’ of your page.

Thanks John,

But when I set the permissions programmatically (eg within the install of a package), I only can INCLUDE or EXCLUDE permissions, so I was thinking that it was a good practice to exclude the guests. Should I “reset” permissions first or something like that?

That is not something I have ever done. I would guess you are on the correct lines, to remove or reset. If there is nothing in the docs, it’s down to archaeology on the code.

ah, stupid me…

Instead of “assignPermissions” with EXCLUDE, just use “removePermissions”. Already used that in an older project.

Thanks for your replies!

Well, not the solution…

When setting advanced permissions and permissions on the page, it won’t load.

I see a JS error like: d.$element.find(…).dialog is not a function. Reloading the page will not happen at all.

Nobody experienced this? Very annoying! Can’t use permissions for now.